Mitigating Control Lifecycle


A high amount of time during a SAP GRC project will be spent on defining processes and responsibilities. My suggestion is to think in lifecycles for getting a better understanding of the processes and who is taking over the responsibility.

In this post I would like to clarify the lifecycle of Mitigating Controls. I have grouped them into four steps: Create, Change, Delete and Review. Please see for each step the expected tasks and who is involved.

On request from Colleen I have additionally added the RACI matrix to see who is Responsible, Accountable, Consulted and Informed for each step. Please be aware that this is very much depending on the point of view and can be different in your organization. My considerations are common sense and based pretty much on thinking in smooth processes throughout a global enterprise.


[Lifecycle diagram with the four steps Create, Change, Review and Delete]

Creation of Mitigating Controls

Tasks
Define the control including:
- Control description
- Control execution
- Control approver and control monitor
- Documentation of control execution
- Reports used to monitor the risk

Involved functions
- Control Owner
- Internal Control responsible
- SAP GRC responsible

[RACI matrix: Creation of Mitigating Controls. Rows: Control description, Control execution, Control approver and control monitor, Documentation of control execution, Reports used to monitor the risk (the R/A/C/I cells are not legible in this copy)]

Changing of Mitigating Controls

Tasks
Change the control, for example:
- Control description
- Control execution
- Control approver and control monitor
- Documentation of control execution
- Reports used to monitor the risk

Involved functions
- Control Owner
- Internal Control responsible
- SAP GRC responsible

[RACI matrix: Changing of Mitigating Controls. Rows: Control description, Control execution, Control approver and control monitor, Documentation of control execution, Reports used to monitor the risk (the R/A/C/I cells are not legible in this copy)]

Deletion of Mitigating Controls

Tasks
- Delete the mitigating control within SAP GRC AC
- Document the decision of deletion of the mitigating control

Involved functions
- Control Owner
- Internal Control responsible
- SAP GRC responsible

[RACI matrix: Deletion of Mitigating Controls. Rows: Delete the mitigating control within SAP GRC AC, Document the decision of deletion of the mitigating control (the R/A/C/I cells are not legible in this copy)]

Reviewing of Mitigating Controls

Tasks
- Analyse if maintained controls within SAP GRC are still valid
- Analyse if the mitigating controls are covering the risk fully
- Test the effectiveness of the mitigating controls

Involved functions
- Control Owner
- Internal Control responsible
- SAP GRC responsible

[RACI matrix: Reviewing of Mitigating Controls. Rows: Analyse if maintained controls within SAP GRC are still valid, Analyse if the mitigating controls are covering the risk fully, Test the effectiveness of the mitigating controls (the R/A/C/I cells are not legible in this copy)]


If you want to have further information or contribute to this blog post, do not hesitate to contact me or reply to this post directly.